Hi Borys,

I can confirm that filtering on TCP flags is currently not possible
in both nfacctd and sfacctd. Such an implementation is not major work
and can be done pretty quickly - I can drop you an email privately
when the code is available in CVS so you can test it working?

Apart from the above, just to be on the same page, are you already
sure TCP flags in NetFlow will work for your scenario? NetFlow ORs
all the TCP flags seen for a certain uni-directional flow up to the
moment it's set for expiration. So if counting flags, for example,
you should not seek a full match but rather test with a logical
AND.

Cheers,
Paolo

On Tue, Aug 24, 2010 at 05:47:33PM +0200, Borys Owczarzak wrote:
> Hi!
>
> I would like to log some traffic to a database:
> TCP packets with flags SYN or FIN or RST to table "kancelaria"
> UDP packets (1-of-100) to table "dupa"
> ICMP packets (1-of-100) to table "icmp".
>
> My test configuration:
> !START CONFIGURATION
> daemonize: true
> pidfile: /var/run/pmacctd.pid
> syslog: daemon
> !FOR PMACCTD USE PROMISC: TRUE
> !promisc: true
> !FOR NFACCTD USE NFACCTD_PORT: 2055
> nfacctd_port: 2055
> interface: eth2
> aggregate[kancelaria]: src_host, dst_host, src_port, dst_port, tcpflags
> aggregate[dupa]:src_host, dst_host, src_port, dst_port
> aggregate[icmpe]:src_host, dst_host, src_port, dst_port
> aggregate_filter[kancelaria]: tcp[tcpflags] & (tcp-syn) != 0 ||  
> tcp[tcpflags] &  (tcp-fin) !=0 || tcp[tcpflags] &  (tcp-rst) !=0
> aggregate_filter[dupa]: udp
> aggregate_filter[icmpe]: icmp
> sampling_rate[icmpe]:100
> sampling_rate[dupa]:100
> plugins: mysql[kancelaria], mysql[dupa], mysql[icmpe]
> sql_db: pmacct
> sql_optimize_clauses: true
> sql_table[dupa]: dupa
> sql_table[kancelaria]: kancelaria
> sql_table[icmpe]: icmpe
> sql_user: root
> sql_passwd: regedit4
> sql_dont_try_update: true
> sql_refresh_time: 1
> sql_history: 1d
> !STOP CONFIGURATION
>
> I tried it with pmacctd and nfacctd. When I use pmacctd everything works
> great. But the problem is with nfacctd. It does not save data to the kancelaria
> table. When I erase "aggregate_filter[kancelaria]:" from the configuration,
> it saves packets.
>
> Does somebody know why nfacctd has a problem with this aggregate_filter?
>
> PS aggregate_filter[dupa] and aggregate_filter[icmpe] work correctly.
>
> Kind regards
> Borys Owczarzak
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
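The point Paolo makes about NetFlow ORing every TCP flag seen during a flow's lifetime is easy to get wrong when writing a filter like the one in Borys's configuration. The script below is an added example, not pmacct code and not part of the thread: it models a few constructed NetFlow-style records whose `tcpflags` field is the cumulative OR of all flags observed for a uni-directional flow, then contrasts an exact-match test with the bitmask (logical AND) test that Paolo recommends. The flag bit values follow the TCP header definition (the same bits tcpdump names `tcp-fin`, `tcp-syn`, `tcp-rst`); the record layout and addresses are assumptions for illustration.

```python
# Added example (not pmacct's code): matching cumulative NetFlow TCP flags.
# In a NetFlow record the tcpflags byte is the OR of every flag seen on the
# flow from its first packet until expiration, so a completed session carries
# SYN, ACK, PSH and FIN at once.

# TCP flag bit values from the TCP header (low six bits of the flags byte).
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10
TCP_URG = 0x20

FLAG_NAMES = [
    (TCP_FIN, "FIN"), (TCP_SYN, "SYN"), (TCP_RST, "RST"),
    (TCP_PSH, "PSH"), (TCP_ACK, "ACK"), (TCP_URG, "URG"),
]


def flags_to_str(flags):
    """Render a cumulative flags byte as a comma-separated list of set flags."""
    return ",".join(name for bit, name in FLAG_NAMES if flags & bit)


def full_match(flags, wanted):
    """Exact comparison: only true if the flow saw exactly these flags and no others."""
    return flags == wanted


def any_flag_set(flags, mask):
    """Bitmask test equivalent to the BPF 'tcp[tcpflags] & mask != 0' idea."""
    return (flags & mask) != 0


# Constructed flow records, as an exporter would summarise them after expiry.
SAMPLE_FLOWS = [
    # Normal completed session: handshake, data, orderly close.
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 22,
     "tcpflags": TCP_SYN | TCP_ACK | TCP_PSH | TCP_FIN},
    # Unanswered SYN: the flow expired before anything else was seen.
    {"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 445,
     "tcpflags": TCP_SYN},
    # Mid-flow continuation only; no SYN, FIN or RST within this flow's lifetime.
    {"src": "10.0.0.8", "dst": "10.0.0.9", "dport": 80,
     "tcpflags": TCP_ACK | TCP_PSH},
    # Connection torn down by a reset.
    {"src": "10.0.0.9", "dst": "10.0.0.7", "dport": 50123,
     "tcpflags": TCP_RST | TCP_ACK},
]


def select_flows(flows, mask):
    """Keep flows where at least one flag in `mask` was seen (logical AND test)."""
    return [f for f in flows if any_flag_set(f["tcpflags"], mask)]


def count_flags(flows):
    """Count, per flag, how many flows saw that flag at least once."""
    counts = {name: 0 for _, name in FLAG_NAMES}
    for f in flows:
        for bit, name in FLAG_NAMES:
            if f["tcpflags"] & bit:
                counts[name] += 1
    return counts


if __name__ == "__main__":
    mask = TCP_SYN | TCP_FIN | TCP_RST
    for f in SAMPLE_FLOWS:
        print(f"{f['src']} -> {f['dst']}:{f['dport']:<5} flags={flags_to_str(f['tcpflags']):<15}"
              f" exact SYN? {full_match(f['tcpflags'], TCP_SYN)!s:<5}"
              f" SYN|FIN|RST seen? {any_flag_set(f['tcpflags'], mask)}")
    print("flows matching SYN|FIN|RST:", len(select_flows(SAMPLE_FLOWS, mask)))
    print("per-flag counts:", count_flags(SAMPLE_FLOWS))
```

The completed session in the first record is exactly the case where an exact match on SYN fails: the flow did start with a SYN, but the exporter reports `FIN,SYN,PSH,ACK`, so only the bitmask test recognises it. The same applies when building per-flag counters from flow data: count a flag as present when its bit is set, not when the byte equals that flag alone.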
